The AAF supports OpenID Connect (OIDC) connectivity and operates an OpenID Provider (OP) which authenticates users who have an account at any AAF subscriber Identity Provider (IdP). This service is a production choice available to AAF subscribers to connect their OIDC services to the Federation. It is a maturing service and at this stage supports only a subset of attributes/claims (for attribute requirements outside this range, we recommend you use SAML). There are plans to integrate this service with AAF’s management tooling suite in the future.


The AAF operates the OP service without subscriber documentation or marketing. There are no service management interfaces or self-service options for registering or managing a connector. AAF Support is the key contact for all service requests and changes to connectors.

These are the attributes/claims Central can currently provide to an RP, requested via one or more of the following scopes (the claim each scope releases is shown in brackets):

  - profile
  - email [email]
  - phone [phone_number]
  - aueduperson [au_edu_person_shared_token]

Note: a claim for a user will only be provided if their home organisation releases the corresponding attribute. For example, most universities will NOT provide phone numbers for their users, so an RP must treat phone_number (and any other non-openid claim) as optional rather than assuming it is present.


Before registering an OIDC service, deployers must have sufficient experience with OIDC integration work to create their own Relying Party (RP) components with minimal help from the AAF technical team. There are several open-source libraries in several languages which implement most of the RP requirements; GitHub is an excellent resource, as is the OpenID Foundation. The AAF does not offer support or advice in this area, and the choice depends on the subscriber’s strengths and existing knowledge of OIDC integration.

The AAF OP satisfies the OIDC conformance testing framework and passes the Authorization Code and Implicit flow tests. New RPs should use the Authorization Code flow; the Implicit flow returns tokens in the browser URL fragment and is discouraged for new deployments by current OAuth security guidance. Since its inception, monitoring of this service shows that, apart from a few seconds of interruption when deploying a new release, it has been highly available. The AAF monitors the OP during business hours and responds promptly to service interruptions.
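As an added example (not AAF code and not taken from any particular RP library), the following Python sketches the Relying Party side of the Authorization Code flow named above, and also shows how to consume the scope-released claims listed earlier with phone_number treated as optional. It builds the authorisation request with state, nonce and PKCE, checks the callback, validates the ID token claims once a JOSE library has verified the signature, and extracts the identity claims. The issuer, authorisation endpoint, client_id and redirect URI are placeholders assumed for the example; a real RP takes the endpoints from the OP's discovery document and the client_id from the registration details supplied by AAF Support.

```python
"""Added example, not AAF code: Relying Party side of the OIDC
Authorization Code flow. All URLs and identifiers below are placeholders."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumed for the example): take the real issuer and endpoint
# from the OP discovery document and client_id from AAF Support.
ISSUER = "https://op.example.org"
AUTHZ_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "client-id-from-aaf"
REDIRECT_URI = "https://rp.example.edu/callback"  # hostname-based, HTTPS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authorization_request(scopes=("openid", "profile", "email")):
    """Return (url, session_state) for a code-flow request.

    state binds the callback to this browser session (CSRF protection),
    nonce binds the ID token to this request (replay protection), and the
    PKCE S256 challenge binds the code to the client that started the flow.
    """
    state = _b64url(secrets.token_bytes(24))
    nonce = _b64url(secrets.token_bytes(24))
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # session_state must be kept server-side; it is needed again at the callback.
    return AUTHZ_ENDPOINT + "?" + urlencode(params), {
        "state": state, "nonce": nonce, "code_verifier": verifier}


def parse_callback(callback_url: str, session_state: dict) -> str:
    """Check the redirect back from the OP and return the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("OP returned error: " + qs["error"][0])
    if qs.get("state", [None])[0] != session_state["state"]:
        raise ValueError("state mismatch: callback is not for this session")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def validate_id_token_claims(claims: dict, session_state: dict, now=None) -> dict:
    """OIDC Core 3.1.3.7 claim checks on an ID token whose signature has
    already been verified against jwks_uri by the JOSE library in use."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("ID token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != session_state["nonce"]:
        raise ValueError("nonce mismatch: replayed or foreign ID token")
    return claims


def extract_identity(claims: dict) -> dict:
    """Pick the claims the service uses. email, phone_number and
    au_edu_person_shared_token are only released when the user's home
    organisation provides the attribute, so they are optional here."""
    return {
        "sub": claims["sub"],
        "email": claims.get("email"),
        "phone_number": claims.get("phone_number"),  # usually absent
        "shared_token": claims.get("au_edu_person_shared_token"),
    }
```

Signature verification against jwks_uri is left to whichever JOSE library the RP already uses; the checks shown here (state, nonce, issuer, audience, expiry) are the ones libraries commonly leave to the application, and they are the ones that stop a code or ID token issued for another session or client from being accepted.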


To register a new OIDC RP, please contact AAF Support and include the following details:

  1. The service’s redirect URL. It must be based on a hostname rather than an IP address and must use HTTPS.
  2. A descriptive name for the service.
  3. The organisation name, which must be an AAF subscriber, of the service.
  4. Indicate the service’s purpose - development/testing/production-ready.
  5. Your Keybase account ID, used to share the credentials securely.

Once the technical team receives a registration, they will reach out and establish a secure messaging channel via Keybase. New accounts on Keybase are currently free of charge. Over the secure channel, the technical team will supply the values generated for the RP service during registration, including the Client ID and secret.


The AAF OIDC service supports querying the OP Configuration Information (discovery) endpoint to retrieve the features and capabilities of the OIDC service. The AAF OP provides two such endpoints, one for the Production Federation and one for the Test Federation.

Details for the Production Federation are here:

$ curl | jq
{
  "issuer": "",
  "authorization_endpoint": "",
  "token_endpoint": "",
  "jwks_uri": "",
  "id_token_signing_alg_values_supported": [ ... ],
  "subject_types_supported": [ ... ],
  "response_types_supported": [
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "scopes_supported": [ ... ],
  "userinfo_endpoint": "",
  "claim_types_supported": [ ... ],
  "claims_locales_supported": [ ... ],
  "claims_parameter_supported": false,
  "display_values_supported": [ ... ],
  "grant_types_supported": [ ... ],
  "op_policy_uri": "",
  "op_tos_uri": "",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": true,
  "response_modes_supported": [ ... ],
  "service_documentation": "",
  "token_endpoint_auth_methods_supported": [ ... ],
  "ui_locales_supported": [ ... ],
  "userinfo_signing_alg_values_supported": [ ... ]
}
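The following Python is an added example, not AAF code, of the checks an RP should run on a discovery document like the one above before trusting the endpoints in it: the issuer must equal the one the document was fetched from, every endpoint must be HTTPS on the issuer's host, and the RP's required scopes, response type, token-endpoint authentication method and ID token signing algorithm must appear in the advertised lists. The embedded document is constructed for the example with placeholder URLs and assumed values (RS256, client_secret_basic, a "code" response type); the real values come from the Production or Test discovery endpoint.

```python
"""Added example, not AAF code: checks an RP should run on the OP
Configuration Information document before trusting its endpoints.
The embedded document is constructed with placeholder URLs."""
import json
from urllib.parse import urlparse

# Constructed sample (same keys as the Production document shown above,
# placeholder issuer, assumed RS256 and client_secret_basic values).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example.org",
    "authorization_endpoint": "https://op.example.org/authorize",
    "token_endpoint": "https://op.example.org/token",
    "userinfo_endpoint": "https://op.example.org/userinfo",
    "jwks_uri": "https://op.example.org/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
    "response_types_supported": ["code", "id_token token", "code id_token",
                                 "code token", "code id_token token"],
    "scopes_supported": ["openid", "profile", "email", "phone", "aueduperson"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "claims_parameter_supported": False,
    "request_parameter_supported": False,
    "request_uri_parameter_supported": False,
})

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def load_discovery(text: str, expected_issuer: str) -> dict:
    """Parse the document fetched from
    <expected_issuer>/.well-known/openid-configuration and refuse it if
    the issuer or endpoints do not belong to that issuer."""
    doc = json.loads(text)
    # OIDC Discovery 4.3: issuer MUST be identical to the configured value.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    issuer_host = urlparse(expected_issuer).hostname
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            raise ValueError(f"{key} is not HTTPS: {url}")
        # An endpoint on another host would receive the client secret,
        # the code or the user's browser; treat it as a configuration error.
        if parsed.hostname != issuer_host:
            raise ValueError(f"{key} host {parsed.hostname!r} != issuer host")
    return doc


def unmet_requirements(doc: dict, scopes, response_type="code",
                       auth_method="client_secret_basic", alg="RS256",
                       uses_claims_parameter=False, uses_request_uri=False):
    """Return the RP requirements the OP does not advertise (empty == OK),
    so misconfiguration surfaces at startup rather than at first login."""
    problems = []
    missing = set(scopes) - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("unsupported scopes: " + ", ".join(sorted(missing)))
    if response_type not in doc.get("response_types_supported", []):
        problems.append(f"response_type {response_type} not supported")
    if auth_method not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"token auth method {auth_method} not supported")
    if alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"ID token alg {alg} not supported")
    # The document above publishes these as false: a claims or request_uri
    # parameter sent anyway is ignored, so ask for claims via scopes instead.
    if uses_claims_parameter and not doc.get("claims_parameter_supported"):
        problems.append("claims parameter not supported; use scopes")
    if uses_request_uri and not doc.get("request_uri_parameter_supported"):
        problems.append("request_uri parameter not supported")
    return problems
```

Run load_discovery once at RP startup against the issuer you configured (not against whatever issuer the document claims), then unmet_requirements with the scopes and flow your service actually needs; the Test Federation endpoint can be checked the same way before switching a connector to Production.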


  - AAF Production OIDC Provider
  - AAF Test OIDC Provider
  - OpenID OIDC Developer Libraries
  - OpenID OIDC Overview
  - OpenID OIDC Terminology